Implementing DMARC, DKIM, and SPF Email Security
Overview
SPF, DKIM, and DMARC form the three pillars of email authentication. Together they prevent domain spoofing, validate message integrity, and define policies for handling unauthenticated mail. Proper implementation drastically reduces phishing attacks that impersonate your organization's domain.
When to Use
- When deploying or configuring implementing dmarc dkim spf email security capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
Prerequisites
- DNS management access for your domain
- Access to email server/MTA configuration (Postfix, Exchange, Google Workspace, Microsoft 365)
- Basic understanding of DNS TXT records
- Python 3.8+ for validation scripts
Key Concepts
SPF (Sender Policy Framework)
Publishes a DNS TXT record listing authorized IP addresses and mail servers that can send email on behalf of your domain. Receiving servers check the envelope sender's IP against this list.
DKIM (DomainKeys Identified Mail)
Adds a cryptographic signature to outgoing emails using a private key. The corresponding public key is published in DNS. Receivers verify the signature to ensure the message was not altered in transit.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
Builds on SPF and DKIM by specifying a policy (none/quarantine/reject) for messages that fail authentication, and provides a reporting mechanism to monitor spoofing attempts.
Workflow
Step 1: Audit Current State
# Check existing SPF record
dig TXT example.com | grep spf
# Check existing DKIM selector
dig TXT selector1._domainkey.example.com
# Check existing DMARC record
dig TXT _dmarc.example.com
Step 2: Implement SPF
# DNS TXT record for example.com
v=spf1 ip4:203.0.113.0/24 include:_spf.google.com include:spf.protection.outlook.com -all
Key SPF mechanisms:
ip4:/ip6:- Authorize specific IP rangesinclude:- Include another domain's SPF recorda- Authorize domain's A record IPsmx- Authorize domain's MX record IPs-all- Hard fail all others (recommended)~all- Soft fail (monitoring phase)
Step 3: Implement DKIM
# Generate DKIM key pair (2048-bit RSA)
openssl genrsa -out dkim_private.pem 2048
openssl rsa -in dkim_private.pem -pubout -out dkim_public.pem
# Format public key for DNS (remove headers, join lines)
grep -v "PUBLIC KEY" dkim_public.pem | tr -d '\n'
DNS TXT record at selector1._domainkey.example.com:
v=DKIM1; k=rsa; p=MIIBIjANBgkqhki...
Step 4: Implement DMARC
# DNS TXT record at _dmarc.example.com
# Phase 1 (Monitor):
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; pct=100
# Phase 2 (Quarantine):
v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=25
# Phase 3 (Reject):
v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100
Step 5: Monitor and Analyze DMARC Reports
Use the scripts/process.py to parse DMARC aggregate XML reports and identify authentication failures, unauthorized senders, and spoofing attempts.
Tools & Resources
- MXToolbox: https://mxtoolbox.com/SuperTool.aspx
- DMARC Analyzer (dmarcian): https://dmarcian.com/
- Google Postmaster Tools: https://postmaster.google.com/
- Valimail DMARC Monitor: https://www.valimail.com/
- DMARC Report Analyzer: https://dmarc.postmarkapp.com/
Validation
- SPF record passes validation at mxtoolbox.com
- DKIM signature verified on test emails
- DMARC record properly formatted and reporting enabled
- Test emails pass all three checks in recipient's Authentication-Results header